Active Directory limit console login to AD connected Xserve

  • #378245
    kcary
    Participant

    This topic
    https://www.afp548.com/forum/viewtopic.php?forum=24&showtopic=9889
    is one of the best I can find on the Internet on this subject, but it doesn’t answer the question, which is:

    I have AD+Kerberos working on my 10.6 Snow Leopard Unlimited Server Xserve, how do I use AD credentials for services (e.g. web logins, mail, etc.) without allowing unauthorized accounts to log in on my console?

    The Xserve behaves like a default configuration on a Windows desktop, i.e. ANYONE in the domain can walk up to the console and log in with their AD credentials. Now, in Windows, I know how to fix that: I remove Domain Users from the local Users group and I’m done. Then I have to put a smaller group or individual users into local Users to let the desired persons log in.

    However, I don’t see how to do that on a Mac, or whether it’s possible.

    Let’s use a concrete example or two.

    1) In the domain CLOWNS, there is one user Bozo. I want to let Bozo log into this Xserve on the console. However, I want to keep all the other clowns off the console. I don’t want to make Bozo an admin, just give him access rights, while restricting the rest of the clowns. Possible?

    2) Also in the domain CLOWNS, there is a group called KeystoneCops. I want to let the members of Keystone Cops get a console login, but everyone else, not so much. They can pick up their mail, authenticate to the webserver, post their blog, but not have a home directory and a console login. Can this be done & how?

    Hope I’ve been clear, thanks so much!

    #378246
    Greg Neagle
    Participant

    System Preferences->Accounts

    Click Login Options near the bottom left; authenticate as an admin if needed to unlock.

    “Allow network users to login to this computer” should be checked (otherwise no AD users could log in). Click the Options… button immediately to the right.

    An “Allow login to this computer to:” sheet will appear. Select “Only these network users”, and click the plus icon to add the specific users you’d like to allow.

    This method only allows you to add specific individual network users.

    I don’t know if it’s officially supported, but it looks like it’s possible to add network groups either from the command line (using dseditgroup) or using Workgroup Manager, by adding the network group to the local com.apple.loginwindow.netaccounts group (which may not exist until you’ve added one network user to the list of network accounts allowed to log in).

    -Greg
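    The dseditgroup route Greg mentions, scripted as an added example (not code from this thread, from Apple, or from afp548): it creates the local com.apple.loginwindow.netaccounts group if it is missing, adds the question's hypothetical principals (domain CLOWNS, user Bozo, group KeystoneCops) to it, and verifies membership with dseditgroup's checkmember operation. The DSEDITGROUP variable is an assumption of this script so a stub can stand in for /usr/sbin/dseditgroup when testing off the server.

```shell
#!/bin/sh
# Added example: manage the "only these network users" allow-list that loginwindow keeps
# in the local group com.apple.loginwindow.netaccounts, using dseditgroup.
# Assumptions (hypothetical): AD domain CLOWNS, user Bozo, group KeystoneCops; DSEDITGROUP
# may point at a stub for testing. Run as an admin on the server for the real thing.

NETACCOUNTS="com.apple.loginwindow.netaccounts"
: "${DSEDITGROUP:=dseditgroup}"

# Ensure the local allow-list group exists; Greg notes it may be absent until the first
# network user has been added through System Preferences.
ensure_netaccounts_group() {
  "$DSEDITGROUP" -o read "$NETACCOUNTS" >/dev/null 2>&1 \
    || "$DSEDITGROUP" -o create -n /Local/Default "$NETACCOUNTS"
}

# Add one AD principal to the allow-list. $1 is "user" or "group"; $2 the DOMAIN\name.
allow_console_login() {
  kind="$1"; principal="$2"
  "$DSEDITGROUP" -o edit -n /Local/Default -a "$principal" -t "$kind" "$NETACCOUNTS"
}

# Verify a principal. Returns 0 if dseditgroup reports membership (direct or via a nested
# group), 1 if it reports "no", 2 if the answer is unrecognised (e.g. an unresolvable name).
# checkmember prints "yes <name> is a member of <group>" or "no <name> is NOT a member of <group>".
check_console_login() {
  principal="$1"
  out=$("$DSEDITGROUP" -o checkmember -m "$principal" "$NETACCOUNTS" 2>/dev/null) || true
  case "$out" in
    yes*) return 0 ;;
    no*)  return 1 ;;
    *)    return 2 ;;
  esac
}

# The policy from the question: Bozo and the KeystoneCops get the console, nobody else.
apply_clowns_policy() {
  ensure_netaccounts_group
  allow_console_login user  'CLOWNS\Bozo'
  allow_console_login group 'CLOWNS\KeystoneCops'
}
```

    Call apply_clowns_policy on the server, then check_console_login 'CLOWNS\Bozo' (expect 0) and a clown outside the list (expect 1) to confirm the allow-list took effect.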

    #378252
    kcary
    Participant

    Quote by gneagle:
    > System Preferences->Accounts
    >
    > Click Login Options near the bottom left; authenticate as an admin if needed to unlock.
    >
    > “Allow network users to login to this computer” should be checked (otherwise no AD users could log in). Click the Options… button immediately to the right.
    >
    > An “Allow login to this computer to:” sheet will appear. Select “Only these network users”, and click the plus icon to add the specific users you’d like to allow.
    > -Greg

    Thanks, Greg. I authenticate, and my list of users comes up. I change to the ‘only these users’ radio button. I select one, hit Done and bam, the ‘allow network users to log in at login window’ checkbox gets unchecked. I look back under Options (whether or not I re-check Allow first) and there is no one in the list.

    To be clear, if it’s checked, ANYONE in the domain can log in at the login window.

    Any thoughts on how to get it to ‘take’? Is there a way to do this in Workgroup Mgr?

    #378260
    Greg Neagle
    Participant

    I just checked it again on a Snow Leopard server here, and it works as I described; in fact, I was able to select Network Groups as well, which I don’t remember being able to do in the past. (Maybe this is new in SL).

    #378261
    kcary
    Participant

    Quote by gneagle:
    > I just checked it again on a Snow Leopard server here, and it works as I described; in fact, I was able to select Network Groups as well, which I don’t remember being able to do in the past. (Maybe this is new in SL).

    Yes, I see that, too. There seems to be some corruption? misconfiguration? that is keeping the server (Snow Leopard Unlimited) from saving the selections I make using this process. Not only does it not save them, but if I make them, it clears the checkbox allowing network users to log in at the login window.

    Any thoughts on how to fix this so it accepts my selection?

    #379221
    Huxlay
    Participant

    Quote by kcary:
    > Quote by gneagle:
    > > I just checked it again on a Snow Leopard server here, and it works as I described; in fact, I was able to select Network Groups as well, which I don’t remember being able to do in the past. (Maybe this is new in SL).
    >
    > Yes, I see that, too. There seems to be some corruption? misconfiguration? that is keeping the server (Snow Leopard Unlimited) from saving the selections I make using this process. Not only does it not save them, but if I make them, it clears the checkbox allowing network users to log in at the login window.
    >
    > Any thoughts on how to fix this so it accepts my selection?

    Thanks for your information. I newly joined, and your post helped me.
